Policy and Basic Concept
The ITOCHU Group is exposed to various risks, such as market, credit, and investment risks, due to the wide range of its businesses. These risks include unpredictable uncertainties and may have significant effects on the ITOCHU Group's future financial position and business performance.
We acknowledge risk management as a key management issue. Therefore, we have established our basic risk management policy and develop necessary risk management systems and techniques based on the concept of the COSO-ERM framework. Specifically, we have defined the following 18 risks as major risks* and are responding to them by building information management and monitoring systems at each department responsible for managing these risks on a consolidated basis. In addition, we periodically review the effectiveness of management systems through our internal committees. Moreover, in accordance with the medium-term management plan, we conduct risk assessments across the company to reevaluate the risks we are currently aware of and identify risks comprehensively.
- Compliance Risks
- Legal Risks (Excluding Compliance Risks)
- Risks Associated with Trade Security Policy Management
- Risks Associated with Customs
- Country Risks
- Commodity Price Risks (Specific, Important Product)
- Credit Risks
- Investment Risks
- Stock Price Risks
- Foreign Exchange Rate Risks
- Interest Rate Risks
- Financing Risks
- Information System and Security Risks
- Labor Management Risks
- Human Resources Risks
- Risks Associated with the Appropriateness of Financial Reporting
- Risks Associated with Internal Control
- Environmental and Social Risks
Structures and Systems
Risk Management Structure
Risks associated with business operations are managed under oversight from the board of directors, within the responsibilities mandated to our division companies, the Headquarters Management Committee (HMC), and relevant committees.
ITOCHU has established internal committees and responsible departments in order to address the various risks associated with the Group's business operations, such as market risk, credit risk, country risk, and investment risk. At the same time, on a Group basis ITOCHU has developed the risk management systems and methods to manage various risks individually and on a companywide basis. Those include a range of management regulations, investment criteria, risk exposure limits, and transaction limits, as well as reporting and monitoring systems. Moreover, ITOCHU regularly reviews the effectiveness of its risk management systems and reports on results and findings to the board of directors.
At the Group level, ITOCHU's structural approach to risk management is overseen by the President and Chief Operating Officer (COO) and the Board of Directors and aims to ensure timely and sound executive decision making. The HMC, which is chaired by the President and COO and comprised of the Chairman and Chief Executive Officer (CEO) and other executives appointed by the President and COO, is the committee that sits at the highest level regarding our risk management system. Subsequent committees that report up to the HMC, also referred to as Principal Internal Committees, which include the Internal Control Committee, Disclosure Committee, ALM Committee, Compliance Committee, Sustainability Committee, and Investment Consultative Committee, are responsible for identifying and addressing risks and incidents in their respective fields.
The Sustainability Committee, one of the Principal Internal Committees introduced above, is tasked to promote sustainability in the ITOCHU Group's company-wide risk management. The Committee manages operational ESG risks such as human rights risks, health and safety risks, climate risks, and natural disaster risks, as well as ESG risks related to investments. The Committee cooperates with other Committees as necessary and makes decisions on policies and initiatives to address ESG risks and operational improvements to further mainstream sustainability concerns in our risk management culture. Activities and findings are compiled by the Committee and reported to the Board of Directors annually.
At the individual Company level, each Company's President reports to the Division Company Management Committee (DMC), an advisory body to the Companies. The DMC deliberates on important issues such as those regarding investments, lending, assurance, and business management that have the potential to substantially impact the management of each company. If the risks identified or escalated exceed the responsibilities mandated to the DMC, depending on the gravity of the risk and upon deliberation with other committees as necessary, risk issues may be escalated to the HMC and/or the Board of Directors.
ITOCHU is a company with Audit & Supervisory Board Members and endeavors to strengthen the monitoring/supervising function and ensure the transparency of decision making by having the Audit & Supervisory Board Members (including outside Audit & Supervisory Board Members) fully monitor corporate management. Auditors are therefore independent from the Committees within our risk management structure, including the HMC, but do attend Committees to perform their monitoring/supervising responsibilities. The executive chairing each respective Committee is also required to report to the HMC and/or the President and COO as necessary. The Audit Department directly under the COO and other corporate staff departments oversee risks and our group-wide approach to managing risks as assigned within their mandated responsibility, and are also required to support the HMC and their subsequent Committees.
- Organization chart regarding the ITOCHU Group's corporate governance structure and internal controls system
- Overview of ITOCHU Group's main internal committees
With the business environment being filled with rapid changes and uncertainty, the ITOCHU Group recognizes the importance of predicting and preparing for various eventualities. As such, we create and analyze various risk scenarios regarding the various elements of the macroeconomic environment, such as political, legal, economic, socioeconomic, and technological factors, and consider relevant future impacts in our management planning.
Please see here for our non-financial capital PEST analysis reported in the Integrated Report.
Risk Capital Management* and Management of Concentration Risk
Risk Assets and Risk Buffer
Strict Management of Risk Assets
Our basic operational policy involves first calculating risk assets based on the maximum amount of possible future losses from all assets on the balance sheet, including investments, and all off-balance-sheet transactions. Second, we manage the amount of risk assets within the limits of our risk buffer (Total shareholders' equity + Non-controlling interests). As we promote investments that will help existing businesses evolve, we will work to maintain risk assets within the limits of our risk buffer, conduct strict risk management, and further strengthen our financial position.
Business Investment Management
Along with strategic business alliances, business investment is an important means of creating new businesses. To actively promote strategic investments in areas of strength in a timely manner, we choose the optimal structure from a wide range of methods, such as establishing a wholly owned subsidiary, implementing joint investment with partners, and participating in management through M&As or converting to a consolidated subsidiary.
In principle, we hold investments continuously. After making each investment, we work to maximize the investee's corporate value and to expand trading profit and dividends received by fully utilizing our Groupwide capabilities. Given such considerations as larger-scale investments in recent years, we are rigorously screening the appropriateness of the business plan and acquisition price. For existing investments, to increase investment earnings and to exit quickly from low-efficiency assets, we are further strengthening monitoring procedures, centered on instituting more rigorous exit criteria and thoroughly implementing periodic investment review.
Decision-Making Process for New Investments
A multilayered decision-making process that achieves quick decision-making by giving a certain level of discretion to the Division Companies while striving to pursue investment return and curb investment risk.
Business Investment Process
Starting with the impact of COVID-19, the business environment changed dramatically in FYE 2021.
Against this background, we steadily implemented strategic investment at the right time and divested businesses which are less efficient or past the peak.
We cleared up business concerns and further strengthened our economy-resilient earnings base.
At the same time, we strictly implemented various processes, including the verification of the validity of business plans at the time of investment decisions, and meticulously monitored those decisions after investing. This allowed us to maintain a high ratio of profit-making group companies at 82.4%.
Number of Consolidated Subsidiaries and Share of Group Companies Reporting Profits
Security Risk Management
Policy and Basic Concept
The ITOCHU Group aims to reduce and avoid information and data security risks by taking a structured approach to ensure a high level of information security. The Information Security Policy is communicated to all of our executives and employees and serves as the overarching policy that guides our information management initiatives. We have also established the Information Management Code, which includes a code of conduct specific to information and data security with which our executives and employees must comply. More specifically, rules and standards are strictly set regarding the management of personal information, documents, and IT security to prevent information leakage and breaches.
Structures and Systems
IT Strategy Council: Deliberates regarding IT Strategy (Annual IT Strategic Plan, etc.)
ITOCHU has formulated a company-wide information strategy for digital transformation (DX) and data-driven management and is aiming for IT-based management. In order to ensure a high level of information security that supports these management foundations, we continue to take thorough measures for crisis management, including the establishment of security guidelines, the expansion of security infrastructure, and the strengthening of technical security measures for malware, etc.
We routinely collect the latest information regarding potential cyber threats by analyzing system logs and malware. Additionally, when incidents do occur, we respond instantly by investigating their causes, discussing possible countermeasures, and restoring services. This is done by the ITOCHU Computer Emergency Readiness, Response & Recovery Team (ITCCERT) – a cyber security team whose members are senior cyber security analysts. In FYE 2018, we established ITCCERT space in our IT & Digital Strategy Division to further enhance security countermeasures across the entire Group and to develop security personnel. We also provide training programs to develop technicians proficient in cyber security. There are few examples of user companies in Japan that are working as actively as we are to develop systems and respond to information security risk. Moving forward, we plan to maintain these initiatives and make enhancements where necessary to ensure sustainable growth that is free from cyber threats.
We periodically engage in the training programs listed below to maintain and improve our information security program.
- We give training to all employees on how to identify and respond to targeted e-mail attacks twice a year.
- All global employees including those in group companies are subject to a mandatory, simultaneous e-learning course on information security, which is held every three years.
- Several times a year, the ITCCERT leads an internal cyber security workshop for the ITOCHU Group companies.
- Policies regarding information security and the management of personal information are required to be communicated to employees upon hiring. If amendments or updates are made to these policies, all executives and employees receive a notification of the changes made. Employees are also updated on such amendments in their periodic e-learning trainings.
Cyber security is especially important to us given that our BCP is supplemented by IT solutions which have enabled us to maintain business operations during the COVID-19 pandemic. Such IT solutions include our adoption of thin clients in all of our internal computers, web-based teleconferencing systems, and cloud systems. We ensure that cyber security is monitored in these systems by requiring that all company-wide services and tools are subject to prior assessments.
Business Continuity Plan
In order to ensure business continuity under extreme circumstances, including natural disasters (such as major earthquakes), pandemics, terrorist attacks, cyber-attacks and security incidents, the ITOCHU Group establishes a Business Continuity Plan (BCP). The BCP aims to prepare us for unpredictable incidents and minimize disruptions to our business. It is subject to regular reviews and revised as necessary.
The BCP outlines four stages between the occurrence of a major incident and the full recovery of our business: 1. Emergency response and immediate recovery 2. BCP implementation 3. Operational recovery 4. Full recovery. Each stage in the BCP clearly assigns responsibilities to certain personnel and outlines response protocols. The ITOCHU Group's BCP applies to all group-wide operations and is supplemented by business segment and department-specific provisions.
Regarding the COVID-19 Pandemic that began in late 2019, the ITOCHU Group responded by establishing an emergency response task force. In addition to ensuring the health and safety of our immediate employees and their families, as a trading company that prides itself in consumer goods, it is also important to us that we fulfill our duty to consumers and their livelihoods by maintaining stable operations in our various supply chains. By taking a risk-based approach to handling the COVID-19 Pandemic but also prioritizing business continuity, we continued to do our best in fulfilling our social responsibility.